Cybercrime is accelerating rapidly during the COVID-19 outbreak. Family enterprises and offices need to tighten their cybersecurity.

Cyber attacks are accelerating as criminals and other threat actors seek to exploit the disruption caused by the COVID-19 pandemic. Businesses scramble to implement sweeping remote work practices and online-only interactions with employees, customers and vendors, and these changes have come with heightened cybersecurity risks. Some Family Enterprises (FEs) and Family Offices (FOs) are recognizing the danger, and taking steps to increase cybersecurity capabilities, but others need to catch up quickly.

Even before the pandemic, some FEs and FOs were lagging behind in cybersecurity practices. Historically, cybersecurity in FOs and smaller FEs has focused on finances (e.g., making sure money is not transferred mistakenly or fraudulently). But as information has moved to the cloud and social media, the walls of these businesses have expanded — opening many more opportunities for attack.

Threats from all directions: phishing, data theft, remote work

According to a recent article by Kris Lovejoy, EY Global Advisory Cybersecurity Leader, the rush to remote work and the general sense of panic set off by COVID-19 have opened the door to a wide range of additional cybersecurity risks that FEs must attend to urgently:

Increased remote work: Threat actors are taking advantage of cybersecurity holes caused by widespread telecommuting, such as increased pressure on IT teams, users bypassing cybersecurity leading practices and remote administration of critical information.

Increased phishing and malicious content: Threat actors have significantly increased their use of phishing, malicious sites and business email compromise attempts linked to the pandemic.

“COVID-19 has made it more pressing than ever that family firms develop control structures that create a protective stance and readiness to respond.”

Paul McKibbin, EY Americas Family Office Advisory Managing Director

The principal risk

FOs and FEs add yet another risk to this list: the families themselves. In FOs and smaller FEs, the person in charge of IT may not have control over the actions of principals and their family members. There is no chief information security officer with tight rein over devices, access and usage, as there is in large enterprises. Instead, there is a small staff that must try to manage IT controls with governance, frequent education and personal influence.

Family members range from tech-savvy teenagers to tech-averse octogenarians and everyone in between. They may use personal emails or follow substandard mobile security practices, leaving them — and their family firms — open to malware, phishing attacks and wire fraud, all on the rise during the pandemic.

For example, if a principal is dedicated to using a non-supported Android phone and routinely downloads non-supported apps from unapproved app stores, they are very likely to accidentally install malware, handing full access over to an attacker.

That attacker may spend months monitoring the victim’s correspondence, their movements and their communication style to mimic them effectively. They can then use this knowledge and access to give disastrous directions to employees, like ordering an employee to make a seven-figure wire transfer, using the principal’s own mobile device and email account.

“Much of the reputational risk is in their broader footprint, out in the world, not within a server. That information footprint is less in their control.”

Haris Shawl, Cybersecurity Senior Manager, Ernst & Young LLP

Reputation and privacy must be protected

At their most severe, cyber attacks can be devastating to a family firm’s legacy. An attack could threaten reputation by associating the family’s name and brand with a scam or unreliable product, or it could bring down systems, leading to a serious disruption in customer service or employees’ ability to work. In research completed for the latest Global Capital Confidence Barometer, 24% of 394 FE leaders in middle-market companies named reputational damage as their greatest fear related to cybersecurity.

“Cyber threats are increasingly placing family firms’ reputations at risk in a way that many are not yet sufficiently protected against.”

Adam Wright, Cybersecurity Managing Director, Ernst & Young LLP

For many FEs, the brand is synonymous with the family name, and that name carries tremendous social capital. When the family name is tarnished, so is the brand. One very well-known family name has been used without the family’s consent to sell dubious financial products via social media. The family has spent years carefully curating their name and their brand, ensuring that it is associated only with the products, services and causes they believe in. Now the brand is at risk through no fault of their own.

Reputational risk: 24% of family enterprise leaders in middle-market companies named reputational damage as their greatest fear related to cybersecurity.

FOs also carry data privacy risks, and when private family information and correspondence are stolen or leaked, it can create serious reputational damage and risk of litigation. With only a handful of employees, FOs have limited tools and talent to monitor and ensure the data privacy of the principals. Even when they invest in leading-class cybersecurity technology, too often they take a “set it and forget it” posture. The systems are doing what they are supposed to do, but FOs lack the in-house expertise to monitor and act on what the systems are telling them.

An FO sometimes sits within the FE so it can leverage the resources of the larger organization. However, that model puts private family information in the same systems as FE business information, where it is subject to additional threats from inside and outside the FE.

Cybersecurity steps for FEs and FOs in the short and long term

The good news is that there are steps FEs and FOs can take to protect their firms and families in order to lower these risks. “Those organizations that really push for that proactive involvement of cybersecurity are going to see very significant business benefits in both the near term and the long term,” says Dave Burg, EY Americas Cybersecurity Leader. This will require both immediate steps and a long-term change of approach.

In the short term, to fend off the increase of cyber attacks due to the pandemic, FEs and FOs should:

Make and keep an inventory of all routers and devices, and sensitive data on them, including those used in family members’ homes

Maintain these devices with updated antivirus and firewall software; keep all software current and assess for vulnerability at least annually

Use email encryption tools for any confidential messages and ask clients to validate any new account openings, credit requests and similar activity

Monitor (or use an external firm to monitor) all networks 24 hours a day looking for signs of an intrusion and shut them down if there is an attack

Store backups offsite or in a secure cloud repository

Conduct financial and criminal background checks on new staff and vendors and annually thereafter

In the longer term, FEs and FOs need to change the way they look at cybersecurity. Recognize that breaches and social media threats will happen, and the job of the FE and FO is to respond effectively and minimize the damage.

Work closely with principals, their families and employees to:

Identify the scenarios that would impact them most, their risk tolerances and their pain points

Continually educate all principals, family members and their households on the importance of adhering to these controls and the risks they face if they don’t

Protecting the legacy

Family firms need to protect their names, their brands and the organizations they have built over generations. Failure to do so can be catastrophic, but with the right approach, security technologies and control structures can help them protect their legacies for years to come.

Summary

Cyber attacks and cyber fraud are rising rapidly during the COVID-19 pandemic. These can be devastating to a family enterprise’s reputation and legacy. Some family firms are taking steps to increase cybersecurity capabilities, but others are lagging behind. Family enterprises can protect their legacy if they act quickly and decisively.

EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.

EY is a global leader in assurance, tax, transaction and advisory services. The insights and quality services we deliver help build trust and confidence in the capital markets and in economies the world over. We develop outstanding leaders who team to deliver on our promises to all of our stakeholders. In so doing, we play a critical role in building a better working world for our people, for our clients and for our communities.

For more information about our organization, please visit ey.com.

This material has been prepared for general informational purposes only and is not intended to be relied upon as accounting, tax, or other professional advice. Please refer to your advisors for specific advice.
